************************************************
1. Transparent Firewall
************************************************

---------------------------------------------
1. Normal CLI Initialization of FTD-T
---------------------------------------------
A. Login - (admin/Admin123)
B. EULA - YES
C. Configure an IP Address to the Management Interface
     FTD-T
       IPv4 Address: 192.168.100.53/24 - DGW = 192.168.100.254
       DNS: None
D. Set the Mode - Transparent
E. Configure Manager relationship
       configure manager add 192.168.100.50 cisco123

---------------------------------------------
2. Add FTD-T
---------------------------------------------
Devices -> Device Management -> Add Device
     Host: 192.168.100.53
     Name: FTD-T
     Registration Key: cisco123
     Configure the Default Policy with Block All
     Enable the Licenses and Add

---------------------------------------------
3. Assign the Interfaces to the Zones
---------------------------------------------
Devices -> Device Management -> FTD-T -> Edit -> Interfaces
     Gig0/0
       Name: Outside
       Enabled: Checked
       Zone: OUTSIDE-T
     Gig0/1
       Name: Inside
       Enabled: Checked
       Zone: INSIDE-T

---------------------------------------------
4. Assign an IP Address to the BVI Interface
---------------------------------------------
1. Add Bridge Group Interface
     Interfaces: Gig0/0, Gig0/1
     IPv4 Address: 10.20.20.10/24
   Click Save
   The BVI address must sit inside the bridged subnet; it is only used for traffic the FTD itself sources. Transit traffic is switched at Layer 2 and never routes through it.

---------------------------------------
5. Deploy the Interface config
---------------------------------------
1. Click the Deploy button
2. Select FTD-T and deploy

----------------------------------------------------------
6. Configure the Access Control Policy to allow traffic
----------------------------------------------------------
Inside - To - Outside - All IPv4 Traffic
----------------------------------------------
Policies -> Access Control -> Access Control -> ACP-FTD-T -> Edit
   Add Default Policy
     Zones:
       Source Zone: INSIDE-T
       Destination Zone: OUTSIDE-T
     Networks:
       Source: Any-ipv4
       Destination: Any-ipv4

Outside - To - Inside - OSPF Traffic
----------------------------------------------
1. Allow OSPF traffic from R1 (10.20.20.1) towards R3 (10.20.20.3) OR R4 (10.20.20.4)
   Policies -> Access Control -> Access Control -> ACP-FTD-T -> Edit
   Add Mandatory Policy
     Zones:
       Source Zone: OUTSIDE-T
       Destination Zone: INSIDE-T
     Networks:
       Source: R1
       Destination: R3 or R4 or OSPF-MULTICAST (224.0.0.5-224.0.0.6)
     Ports:
       Protocol: 89 (OSPF)
   OSPF hellos on the 10.20.20.0/24 segment are sent to 224.0.0.5 (DR/BDR traffic to 224.0.0.6), so a rule that lists only the unicast R3/R4 destinations never lets the adjacency form; the OSPF-MULTICAST object has to be in the destination list.

2. Allow Telnet/SSH/ICMP traffic from R1 (10.20.20.1) towards R3 (10.20.20.3) OR R4 (10.20.20.4)
   Add Rule under Mandatory Policy
     Source Zone: OUTSIDE-T
     Destination Zone: INSIDE-T
     Source Network: Object R1 (10.20.20.1)
     Destination Network: Object R3 (10.20.20.3) OR R4 (10.20.20.4)
     Destination Ports:
       Object: SSH
       Object: Telnet
       Object: PING-ICMP (Echo-Request)
   Save

----------------------------------------------------------
7. Configure the Routers around FTD-T
----------------------------------------------------------
---- R1 ----
en
config t
no ip domain-lookup
!
host R1
!
interface E 0/0
 ip address 10.11.11.1 255.255.255.0
 no shut
!
interface E 0/1
 ip address 10.20.20.1 255.255.255.0
 no shut
!
router ospf 1
 router-id 0.0.0.1
 network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
 password cisco
 login
 transport input all

---- R3 ----
en
config t
no ip domain-lookup
!
host R3
!
interface E 0/0
 ip address 10.20.20.3 255.255.255.0
 no shut
!
interface Loopback1
 ip address 10.3.3.3 255.255.255.0
!
router ospf 1
 ! router-id must be unique per OSPF router (0.0.0.1 is already R1's; duplicate IDs prevent adjacency)
 router-id 0.0.0.3
 network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
 password cisco
 login
 transport input all

---- R4 ----
en
config t
no ip domain-lookup
!
host R4
!
interface E 0/0
 ip address 10.20.20.4 255.255.255.0
 no shut
!
interface Loopback1
 ip address 10.4.4.4 255.255.255.0
!
router ospf 1
 ! unique router-id, see R3
 router-id 0.0.0.4
 network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
 password cisco
 login
 transport input all

************************************************
2. FTD Failover (High Availability)
************************************************

---------------------------------------------
1. Normal CLI Initialization of FMC
---------------------------------------------
A. Login - (admin/Admin123)
B. Configure an IP Address to the Management Interface
     sudo configure-network
       IPv4 Address: 192.168.100.50/24 - DGW = 192.168.100.254

---------------------------------------------
2. Normal CLI Initialization of FTD1 & FTD2
---------------------------------------------
A. Login - (admin/Admin123)
B. EULA - YES
C. Configure an IP Address to the Management Interface
     FTD1
       IPv4 Address: 192.168.100.51/24 - DGW = 192.168.100.254
       DNS: None
     FTD2
       IPv4 Address: 192.168.100.52/24 - DGW = 192.168.100.254
       DNS: None
D. Set the Mode - Routed (Both)
E. Configure Manager relationship
     Both:
       configure manager add 192.168.100.50 cisco123

*******************************
Initialize the FMC
*******************************
A. Configure the password : Cisco@123
B. Configure the Hostname : FMC
C. Configure the Date, Time & Timezone
D. Accept the End User License
E. Enable the Evaluation License
     System -> Licenses -> Smart Licenses
F. Enable NTP
     System -> Configuration -> Time Synchronization

*******************************
Integrating FTDs in FMC
*******************************
---------------------------------------------
Add FTD1
---------------------------------------------
Devices -> Device Management -> Add Device
     Host: 192.168.100.51
     Name: FTD1
     Registration Key: cisco123
     Configure the Default Policy with Block All
     Enable the Licenses and Add

---------------------------------------------
Add FTD2
---------------------------------------------
Devices -> Device Management -> Add Device
     Host: 192.168.100.52
     Name: FTD2
     Registration Key: cisco123
     Configure the Default Policy with Block All
     Enable the Licenses and Add

---------------------------------------------
Create a Management group and add the FTDs
---------------------------------------------
Devices -> Device Management -> Add Group
     Name: Perimeter
     Devices: FTD1 & FTD2

****************************************
Configure High Availability
****************************************
-------------------------------------
1. Configure Failover by adding FTDs
-------------------------------------
Devices -> Device Management -> Add High Availability
     Name: FTD-HA
     Device Type: Firepower Threat Defense
     Primary: FTD1
     Secondary: FTD2
     High Availability Link: Gig0/2 - Use same link for Stateful Link
       Link Name: Failover
       Primary IP: 10.10.10.1
       Secondary IP: 10.10.10.2
       Subnet Mask: 255.255.255.0
     IPSec Encryption: Enabled
       Key: cisco123

---------------------------------------------
2. Configure Interfaces
---------------------------------------------
Devices -> Device Management -> FTD-HA -> Interfaces
     Gig 0/0
       Name: Outside
       Enabled: Checked
       Zone: OUTSIDE
       IP Address (Active): 192.1.20.11/24
     Gig 0/1
       Name: Inside
       Enabled: Checked
       Zone: INSIDE
       IP Address (Active): 10.11.11.11/24

Devices -> Device Management -> FTD-HA -> High Availability (Standby Address)
     Outside Interface: 192.1.20.12
     Inside Interface: 10.11.11.12

Devices -> Device Management -> FTD-HA -> High Availability (MAC Addresses)
     Virtual MAC Addresses
       Gig0/0
         Active: 0001.0001.0001
         Standby: 0001.0001.0002
       Gig0/1
         Active: 0002.0002.0001
         Standby: 0002.0002.0002
     With virtual MACs the active role always presents the same MAC, so after a failover the ARP caches on R1 and R2 stay valid instead of depending on the physical MAC of whichever unit is active.

---------------------------------------------
3. Configure Static Routing
---------------------------------------------
Devices -> Device Management -> FTD-HA -> Routing
     Static Routing: 0.0.0.0/0 -> R2 (192.1.20.2) -> Outside

---------------------------------------------
4. Configure NAT
---------------------------------------------
Configure Dynamic Auto NAT using an outside range of 192.1.20.51-192.1.20.200 for the whole network 10.0.0.0/8.
The pool holds 150 addresses; once they are all in use, new inside hosts get no translation unless a PAT fallback is added to the rule.

---------------------------------------------
5. Configure ACP
---------------------------------------------
- Allow access from R2 to R1 for Telnet, SSH & Ping
- Allow Inside to Outside access for all traffic originating from NET-10.0.0.0

************************************************
3. IPS, File Policies & AMP
************************************************
=========================================================================================
1. Access Policy Basic Intrusion Prevention
=========================================================================================
Policies -> Access Control -> Access Control -> FTD-ACP -> Edit (Pencil)
Modify the following ACP rules with Intrusion Prevention based on the default Intrusion policies:
➢ [MailServer & MailServer2 – 25] -> Least Impact
➢ [DNSServer – 53] -> Balanced
➢ [R3 – 22 & 23] -> Security over Connectivity

=========================================================================================
2. Access Policy Custom Intrusion Prevention
=========================================================================================
Policies -> Access Control -> Intrusion -> Create Policy
Configure a new Intrusion Policy based on the Balanced default policy. Give it a name of IPS-FTD-MYPOL.
Enable the following signature in the IPS-FTD-MYPOL policy. Click the checkbox to enable the rule and set the action to "Drop & Generate Events":
➢ Signature Name: "APP-DETECT I2P DNS request attempt"
➢ Signature ID: 5999

If a request comes into the Firewall destined to the Web Servers, it should be checked against the custom IPS Policy created in the previous step.
Policies -> Access Control -> Access Control -> FTD-ACP -> Edit (Pencil)

=========================================================================================
3. Access Policy - File Policy
=========================================================================================
Policies -> Access Control -> Malware & File Policy -> New File Policy
Configure a File & Malware Policy called INSIDE-FILE-POLICY using the following requirements:
➢ Download of any Executable using any protocol – Block with Reset.
➢ Download of any Archive using HTTP – Block with Reset.
➢ Upload of any Executable or Archive Files using any protocol – Block with Reset.
➢ Upload of any .MDB file using any protocol – Block File.
➢ Download of any Office Document using SMTP – Block Malware with Reset.

Configure a File & Malware Policy called OUT-2-IN-FILE-POLICY using the following requirements:
➢ Download of any PDF using the HTTP protocol – Block Malware with Reset.

"Block Files" acts on the detected file type alone; "Block Malware" additionally looks up the file's SHA-256 against the AMP cloud and needs the Malware license, so only files with a malicious disposition are dropped.

If a request uses the IN-2-OUT ACP policy, it should be checked against the INSIDE-FILE-POLICY created in the previous step.
Policies -> Access Control -> Access Control -> FTD-ACP -> Edit (Pencil)

Access to the E-mail Servers should be checked against the OUT-2-IN-FILE-POLICY created in the previous step.
Policies -> Access Control -> Access Control -> FTD-ACP -> Edit (Pencil)
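The ACP-FTD-T rules from section 1.6 (transparent firewall) as a first-match model, added here as an example and not FMC code: it walks the rules in the order FMC evaluates them (Mandatory section, then Default section, then the policy's Block All default action) and shows why the OSPF rule needs the OSPF-MULTICAST object as a destination. Zone, object and port names follow the lab; the Flow and Rule classes, the rule names and the sample flows are this script's own assumptions.

```python
"""First-match model of the ACP-FTD-T access control policy from section 1.6.

Constructed example, not FMC code. Object and zone names follow the lab;
Flow, Rule, the rule names and the sample flows are this script's assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Network objects from the lab. OSPF-MULTICAST is the 224.0.0.5-224.0.0.6 range.
OBJECTS = {
    "R1": ["10.20.20.1/32"],
    "R3": ["10.20.20.3/32"],
    "R4": ["10.20.20.4/32"],
    "OSPF-MULTICAST": ["224.0.0.5/32", "224.0.0.6/32"],
    "any-ipv4": ["0.0.0.0/0"],
}
OBJECTS = {k: [ipaddress.ip_network(n) for n in v] for k, v in OBJECTS.items()}

# Port objects: (IP protocol, TCP/UDP destination port or ICMP type; None = any).
PORTS = {"OSPF": (89, None), "SSH": (6, 22), "Telnet": (6, 23), "PING-ICMP": (1, 8)}


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # TCP/UDP destination port or ICMP type


@dataclass
class Rule:
    name: str
    action: str                 # "ALLOW" or "BLOCK"
    src_zones: Set[str]
    dst_zones: Set[str]
    src_nets: List[str]         # network object names
    dst_nets: List[str]
    ports: List[str] = field(default_factory=list)  # port object names; empty = any


def _ip_in(obj_names, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for name in obj_names for net in OBJECTS[name])


def _port_in(obj_names, proto, dport):
    if not obj_names:
        return True
    return any(p == proto and (port is None or port == dport)
               for p, port in (PORTS[n] for n in obj_names))


def rule_matches(rule, flow):
    return (flow.src_zone in rule.src_zones and flow.dst_zone in rule.dst_zones
            and _ip_in(rule.src_nets, flow.src) and _ip_in(rule.dst_nets, flow.dst)
            and _port_in(rule.ports, flow.proto, flow.dport))


def evaluate(policy, flow, default_action="BLOCK"):
    """First matching rule wins; otherwise the ACP default action (Block All in the lab)."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "default-action", default_action


OUT2IN = ({"OUTSIDE-T"}, {"INSIDE-T"})

# Rule order as FMC evaluates it: Mandatory section first, then Default section.
ACP_FTD_T = [
    Rule("OSPF-R1-to-R3-R4", "ALLOW", *OUT2IN, ["R1"], ["R3", "R4", "OSPF-MULTICAST"], ["OSPF"]),
    Rule("Mgmt-R1-to-R3-R4", "ALLOW", *OUT2IN, ["R1"], ["R3", "R4"], ["SSH", "Telnet", "PING-ICMP"]),
    Rule("Inside-to-Outside", "ALLOW", {"INSIDE-T"}, {"OUTSIDE-T"}, ["any-ipv4"], ["any-ipv4"]),
]

# The same policy with the OSPF rule limited to the unicast R3/R4 destinations.
ACP_UNICAST_ONLY = [
    Rule("OSPF-R1-to-R3-R4", "ALLOW", *OUT2IN, ["R1"], ["R3", "R4"], ["OSPF"]),
] + ACP_FTD_T[1:]


def ospf_hello_allowed(policy):
    """R1's OSPF hello: IP protocol 89 to AllSPFRouters (224.0.0.5), outside to inside."""
    hello = Flow("OUTSIDE-T", "INSIDE-T", "10.20.20.1", "224.0.0.5", 89)
    return evaluate(policy, hello)[1] == "ALLOW"


if __name__ == "__main__":
    for label, policy in (("lab policy", ACP_FTD_T), ("unicast-only OSPF rule", ACP_UNICAST_ONLY)):
        print(f"{label}: OSPF hello R1 -> 224.0.0.5 allowed = {ospf_hello_allowed(policy)}")
    print(evaluate(ACP_FTD_T, Flow("OUTSIDE-T", "INSIDE-T", "10.20.20.1", "10.20.20.3", 6, 22)))
    print(evaluate(ACP_FTD_T, Flow("OUTSIDE-T", "INSIDE-T", "10.20.20.1", "10.20.20.3", 6, 80)))
```

The model only decides the first packet of a flow, which is what the rule set does on the real device too: once R1's SSH connection to R3 is allowed, R3's replies are passed by the connection table and never consult the rules, and the same holds for the echo-reply to a permitted ping. The unicast-only variant is the usual mistake in this lab: the rule looks complete, yet `show ip ospf neighbor` on R1 stays empty because the hellos to 224.0.0.5 fall through to the Block All default action.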
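Sections 2.5 and 3 attach intrusion and file policies to ACP rules through the FMC GUI; the same rule can be created through the FMC REST API, which is how this is scripted for more than a handful of rules. Added example, not Cisco code: it assumes the lab FMC at 192.168.100.50 with a self-signed certificate, an admin account, and that the UUIDs of the zones, network and port objects, intrusion policy, file policy and the FTD-ACP policy have already been looked up (the FMC API references everything by UUID; the GET endpoints under /api/fmc_config/v1/domain/{uuid}/object/ and /policy/ return them). `fmc_login`, `build_access_rule` and `post_rule` are this example's own names; the UUIDs in the usage block are placeholders.

```python
"""Create an FMC access rule with an intrusion policy and a file policy attached.

Added example, not Cisco code. Assumes the lab FMC (192.168.100.50, self-signed
certificate) and that the caller already knows the UUIDs of every referenced
object; the UUIDs below are placeholders.
"""
import base64
import json
import ssl
import urllib.request

FMC = "https://192.168.100.50"


def _lab_ctx():
    """TLS context that skips certificate checks: acceptable only for the lab FMC."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fmc_login(user, password):
    """POST /auth/generatetoken; FMC returns the token and domain UUID as headers."""
    req = urllib.request.Request(FMC + "/api/fmc_platform/v1/auth/generatetoken", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, context=_lab_ctx()) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def ref(obj_type, uuid, name):
    """Object reference as the FMC API expects it inside a rule body."""
    return {"type": obj_type, "id": uuid, "name": name}


def build_access_rule(name, src_zone, dst_zone, src_nets, dst_nets, dst_ports,
                      ips_policy=None, file_policy=None, log_end=True):
    """Build the AccessRule JSON body.

    src_zone/dst_zone: (uuid, name); src_nets/dst_nets: (type, uuid, name) with type
    "Host", "Network" or "Range"; dst_ports: (uuid, name) of ProtocolPortObjects;
    ips_policy/file_policy: (uuid, name). Inspection only applies to ALLOW rules.
    """
    rule = {
        "type": "AccessRule",
        "name": name,
        "action": "ALLOW",
        "enabled": True,
        "sendEventsToFMC": True,
        "logBegin": False,
        "logEnd": log_end,
        "sourceZones": {"objects": [ref("SecurityZone", *src_zone)]},
        "destinationZones": {"objects": [ref("SecurityZone", *dst_zone)]},
        "sourceNetworks": {"objects": [ref(t, u, n) for (t, u, n) in src_nets]},
        "destinationNetworks": {"objects": [ref(t, u, n) for (t, u, n) in dst_nets]},
        "destinationPorts": {"objects": [ref("ProtocolPortObject", u, n) for (u, n) in dst_ports]},
    }
    if ips_policy:
        rule["ipsPolicy"] = ref("IntrusionPolicy", *ips_policy)
        # A "variableSet": ref("VariableSet", uuid, name) entry can be added beside it.
    if file_policy:
        rule["filePolicy"] = ref("FilePolicy", *file_policy)
    return rule


def post_rule(token, domain_uuid, acp_uuid, rule, section="mandatory"):
    """POST the rule into the Mandatory (or Default) section of the access policy."""
    url = (f"{FMC}/api/fmc_config/v1/domain/{domain_uuid}/policy/accesspolicies/"
           f"{acp_uuid}/accessrules?section={section}")
    req = urllib.request.Request(url, data=json.dumps(rule).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-auth-access-token", token)
    with urllib.request.urlopen(req, context=_lab_ctx()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder UUIDs: look the real ones up with the GET endpoints first.
    rule = build_access_rule(
        "Mail-25-IPS-File",
        ("zone-out-uuid", "OUTSIDE"), ("zone-in-uuid", "INSIDE"),
        [("Network", "any4-uuid", "any-ipv4")],
        [("Host", "mail1-uuid", "MailServer"), ("Host", "mail2-uuid", "MailServer2")],
        [("smtp-uuid", "SMTP")],
        ips_policy=("ips-uuid", "Least Impact"),
        file_policy=("fp-uuid", "OUT-2-IN-FILE-POLICY"),
    )
    print(json.dumps(rule, indent=2))
    # token, domain = fmc_login("admin", "Cisco@123")
    # print(post_rule(token, domain, "ftd-acp-uuid", rule))
```

Posting the rule only changes the policy on the FMC; as in the GUI steps, nothing reaches the FTD until a deployment is run, and an `ipsPolicy` or `filePolicy` on a rule whose action is not ALLOW is rejected by the API for the same reason the GUI greys those tabs out.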